Ensure all accepted hash types are checked

sdispater · sdispater · commit 43b7c612cd34 · 2021-09-21T21:54:47.000+02:00
diff --git a/poetry.lock b/poetry.lock
diff --git a/poetry/installation/executor.py b/poetry/installation/executor.py
@@ -608,16 +608,30 @@ def _download_link(self, operation, link):
                 archive = self._chef.prepare(archive)
 
         if package.files:
-            archive_hash = (
-                "sha256:"
-                + FileDependency(
-                    package.name,
-                    Path(archive.path) if isinstance(archive, Link) else archive,
-                ).hash()
-            )
-            if archive_hash not in {f["hash"] for f in package.files}:
+            hashes = {f["hash"] for f in package.files}
+            hash_types = {h.split(":")[0] for h in hashes}
+            archive_hashes = set()
+            for hash_type in hash_types:
+                archive_hashes.add(
+                    "{}:{}".format(
+                        hash_type,
+                        FileDependency(
+                            package.name,
+                            Path(archive.path)
+                            if isinstance(archive, Link)
+                            else archive,
+                        ).hash(hash_type),
+                    )
+                )
+
+            if archive_hashes.isdisjoint(hashes):
                 raise RuntimeError(
-                    "Invalid hash for {} using archive {}".format(package, archive.name)
+                    "Invalid hashes ({}) for {} using archive {}. Expected one of {}.".format(
+                        ", ".join(sorted(archive_hashes)),
+                        package,
+                        archive.name,
+                        ", ".join(sorted(hashes)),
+                    )
                 )
 
         return archive
diff --git a/pyproject.toml b/pyproject.toml
@@ -24,7 +24,7 @@ classifiers = [
 [tool.poetry.dependencies]
 python = "~2.7 || ^3.5"
 
-poetry-core = "~1.0.5"
+poetry-core = "~1.0.6"
 cleo = "^0.8.1"
 clikit = "^0.6.2"
 crashtest = { version = "^0.3.0", python = "^3.6" }
diff --git a/tests/installation/test_executor.py b/tests/installation/test_executor.py
@@ -11,6 +11,8 @@
 
 from poetry.config.config import Config
 from poetry.core.packages.package import Package
+from poetry.core.packages.utils.link import Link
+from poetry.installation.chef import Chef
 from poetry.installation.executor import Executor
 from poetry.installation.operations import Install
 from poetry.installation.operations import Uninstall
@@ -52,7 +54,9 @@ def callback(request, uri, headers):
             return [200, headers, f.read()]
 
     http.register_uri(
-        http.GET, re.compile("^https://files.pythonhosted.org/.*$"), body=callback,
+        http.GET,
+        re.compile("^https://files.pythonhosted.org/.*$"),
+        body=callback,
     )
 
 
@@ -251,3 +255,81 @@ def test_executor_should_delete_incomplete_downloads(
         executor._download(Install(Package("tomlkit", "0.5.3")))
 
     assert not destination_fixture.exists()
+
+
+def test_executor_should_check_every_possible_hash_types(
+    config, io, pool, mocker, fixture_dir, tmp_dir
+):
+    mocker.patch.object(
+        Chef,
+        "get_cached_archive_for_link",
+        side_effect=lambda link: link,
+    )
+    mocker.patch.object(
+        Executor,
+        "_download_archive",
+        return_value=fixture_dir("distributions").joinpath(
+            "demo-0.1.0-py2.py3-none-any.whl"
+        ),
+    )
+
+    env = MockEnv(path=Path(tmp_dir))
+    executor = Executor(env, pool, config, io)
+
+    package = Package("demo", "0.1.0")
+    package.files = [
+        {
+            "file": "demo-0.1.0-py2.py3-none-any.whl",
+            "hash": "md5:15507846fd4299596661d0197bfb4f90",
+        }
+    ]
+
+    archive = executor._download_link(
+        Install(package), Link("https://example.com/demo-0.1.0-py2.py3-none-any.whl")
+    )
+
+    assert archive == fixture_dir("distributions").joinpath(
+        "demo-0.1.0-py2.py3-none-any.whl"
+    )
+
+
+def test_executor_should_check_every_possible_hash_types_before_failing(
+    config, io, pool, mocker, fixture_dir, tmp_dir
+):
+    mocker.patch.object(
+        Chef,
+        "get_cached_archive_for_link",
+        side_effect=lambda link: link,
+    )
+    mocker.patch.object(
+        Executor,
+        "_download_archive",
+        return_value=fixture_dir("distributions").joinpath(
+            "demo-0.1.0-py2.py3-none-any.whl"
+        ),
+    )
+
+    env = MockEnv(path=Path(tmp_dir))
+    executor = Executor(env, pool, config, io)
+
+    package = Package("demo", "0.1.0")
+    package.files = [
+        {"file": "demo-0.1.0-py2.py3-none-any.whl", "hash": "md5:123456"},
+        {"file": "demo-0.1.0-py2.py3-none-any.whl", "hash": "sha256:123456"},
+    ]
+
+    expected_message = (
+        "Invalid hashes "
+        "("
+        "md5:15507846fd4299596661d0197bfb4f90, "
+        "sha256:70e704135718fffbcbf61ed1fc45933cfd86951a744b681000eaaa75da31f17a"
+        ") "
+        "for demo (0.1.0) using archive demo-0.1.0-py2.py3-none-any.whl. "
+        "Expected one of md5:123456, sha256:123456."
+    )
+
+    with pytest.raises(RuntimeError, match=re.escape(expected_message)):
+        executor._download_link(
+            Install(package),
+            Link("https://example.com/demo-0.1.0-py2.py3-none-any.whl"),
+        )
