Resolve git refs to git revisions [#1331] (#1337)

* Check that a git dependency resolves to a revision

A git dependency should be resolved to a full git revision (SHA-1).
When dealing with a git dependency, this is the only way to lock
the dependency in-place (because revisions are immutable).

* Check that a pinned git dependency resolves to a revision

There are three mutually exclusive parameters that can be used to
pin a git dependency: `branch`, `tag`, and `rev`.  Since they all
can be moving targets, they should be resolved to a full git
revision (SHA-1) to ensure a proper in-place lock.

This change highlights bug #1331 and currently fails.

* Make sure a git reference resolves to a revision

Do not lock a git dependency to a named reference but to a full
git revision instead.  This ensures reproducibility and security
as git revisions are immutable.

Fixes: #1331

poetry/puzzle/provider.py

@@ -172,9 +172,6 @@ class Provider:
             name=dependency.name,
             name=dependency.name,
         )
         )
 
 
-        if dependency.tag or dependency.rev:
-            package.source_reference = dependency.reference
-
         for extra in dependency.extras:
         for extra in dependency.extras:
             if extra in package.extras:
             if extra in package.extras:
                 for dep in package.extras[extra]:
                 for dep in package.extras[extra]:

tests/puzzle/test_solver.py

@@ -928,6 +928,11 @@ def test_solver_can_resolve_git_dependencies(solver, repo, package):
         ],
         ],
     )
     )
 
 
+    op = ops[1]
+
+    assert op.package.source_type == "git"
+    assert op.package.source_reference.startswith("9cf87a2")
+
 
 
 def test_solver_can_resolve_git_dependencies_with_extras(solver, repo, package):
 def test_solver_can_resolve_git_dependencies_with_extras(solver, repo, package):
     pendulum = get_package("pendulum", "2.0.3")
     pendulum = get_package("pendulum", "2.0.3")
@@ -951,6 +956,37 @@ def test_solver_can_resolve_git_dependencies_with_extras(solver, repo, package):
     )
     )
 
 
 
 
+@pytest.mark.parametrize(
+    "ref",
+    [{"branch": "a-branch"}, {"tag": "a-tag"}, {"rev": "9cf8"}],
+    ids=["branch", "tag", "rev"],
+)
+def test_solver_can_resolve_git_dependencies_with_ref(solver, repo, package, ref):
+    pendulum = get_package("pendulum", "2.0.3")
+    cleo = get_package("cleo", "1.0.0")
+    repo.add_package(pendulum)
+    repo.add_package(cleo)
+
+    git_config = {"git": "https://github.com/demo/demo.git"}
+    git_config.update(ref)
+    package.add_dependency("demo", git_config)
+
+    ops = solver.solve()
+
+    check_solver_result(
+        ops,
+        [
+            {"job": "install", "package": pendulum},
+            {"job": "install", "package": get_package("demo", "0.1.2")},
+        ],
+    )
+
+    op = ops[1]
+
+    assert op.package.source_type == "git"
+    assert op.package.source_reference.startswith("9cf87a2")
+
+
 def test_solver_does_not_trigger_conflict_for_python_constraint_if_python_requirement_is_compatible(
 def test_solver_does_not_trigger_conflict_for_python_constraint_if_python_requirement_is_compatible(
     solver, repo, package
     solver, repo, package
 ):
 ):