Support non SHA256/SHA384/SHA512 HTTPRepository (#8118)

Signed-off-by: Bernát Gábor <bgabor8@bloomberg.net>

Support non SHA256/SHA384/SHA512 HTTPRepository (#8118)
Signed-off-by: Bernát Gábor <bgabor8@bloomberg.net>
c719dced · Bernát Gábor · GitHub · fedff6da · c719dced · c719dced
Commit c719dced authored Jun 24, 2023 by Bernát Gábor Committed by GitHub Jun 24, 2023
Showing with 57 additions and 19 deletions

src/poetry/installation/chooser.py
+7 -0

src/poetry/repositories/http_repository.py
+20 -18

tests/helpers.py
+2 -1

tests/installation/test_chooser.py
+22 -0

tests/repositories/fixtures/legacy/demo.html
+6 -0

No files found.
--- a/src/poetry/installation/chooser.py
+++ b/src/poetry/installation/chooser.py
@@ -8,6 +8,7 @@ from typing import Any
 from poetry.config.config import Config
 from poetry.config.config import PackageFilterPolicy
+from poetry.repositories.http_repository import HTTPRepository
 from poetry.utils.wheel import Wheel
@@ -103,6 +104,12 @@ class Chooser:
            assert link.hash_name is not None
            h = link.hash_name + ":" + link.hash
+            if (
+                h not in hashes
+                and link.hash_name not in ("sha256", "sha384", "sha512")
+                and isinstance(repository, HTTPRepository)
+            ):
+                h = repository.calculate_sha256(link) or h
            if h not in hashes:
                logger.debug(
                    "Skipping %s as %s checksum does not match expected value",

--- a/src/poetry/repositories/http_repository.py
+++ b/src/poetry/repositories/http_repository.py
@@ -226,24 +226,7 @@ class HTTPRepository(CachedRepository):
                and link.hash_name not in ("sha256", "sha384", "sha512")
                and hasattr(hashlib, link.hash_name)
            ):
-                with self._cached_or_downloaded_file(link) as filepath:
+                file_hash = self.calculate_sha256(link) or file_hash
-                    known_hash = (
-                        getattr(hashlib, link.hash_name)() if link.hash_name else None
-                    )
-                    required_hash = hashlib.sha256()
-                    chunksize = 4096
-                    with filepath.open("rb") as f:
-                        while True:
-                            chunk = f.read(chunksize)
-                            if not chunk:
-                                break
-                            if known_hash:
-                                known_hash.update(chunk)
-                            required_hash.update(chunk)
-                    if not known_hash or known_hash.hexdigest() == link.hash:
-                        file_hash = f"{required_hash.name}:{required_hash.hexdigest()}"
            files.append({"file": link.filename, "hash": file_hash})
@@ -257,6 +240,25 @@ class HTTPRepository(CachedRepository):
        return data.asdict()
+    def calculate_sha256(self, link: Link) -> str | None:
+        with self._cached_or_downloaded_file(link) as filepath:
+            known_hash = getattr(hashlib, link.hash_name)() if link.hash_name else None
+            required_hash = hashlib.sha256()
+            chunksize = 4096
+            with filepath.open("rb") as f:
+                while True:
+                    chunk = f.read(chunksize)
+                    if not chunk:
+                        break
+                    if known_hash:
+                        known_hash.update(chunk)
+                    required_hash.update(chunk)
+            if not known_hash or known_hash.hexdigest() == link.hash:
+                return f"{required_hash.name}:{required_hash.hexdigest()}"
+        return None
    def _get_response(self, endpoint: str) -> requests.Response | None:
        url = self._url + endpoint
        try:

--- a/tests/helpers.py
+++ b/tests/helpers.py
@@ -36,6 +36,7 @@ if TYPE_CHECKING:
    from poetry.installation.operations.operation import Operation
    from poetry.poetry import Poetry
+    from poetry.utils.authenticator import Authenticator
 FIXTURE_PATH = Path(__file__).parent / "fixtures"
@@ -120,7 +121,7 @@ def mock_clone(
    return MockDulwichRepo(dest)
-def mock_download(url: str, dest: Path) -> None:
+def mock_download(url: str, dest: Path, session: Authenticator | None = None) -> None:
    parts = urllib.parse.urlparse(url)
    fixture = FIXTURE_PATH / parts.path.lstrip("/")

--- a/tests/installation/test_chooser.py
+++ b/tests/installation/test_chooser.py
@@ -405,3 +405,25 @@ def test_chooser_throws_an_error_if_package_hashes_do_not_match(
    with pytest.raises(RuntimeError) as e:
        chooser.choose_for(package)
    assert files[0]["hash"] in str(e)
+@pytest.mark.usefixtures("mock_legacy")
+def test_chooser_md5_remote_fallback_to_sha256_inline_calculation(
+    env: MockEnv, pool: RepositoryPool
+) -> None:
+    chooser = Chooser(pool, env)
+    package = Package(
+        "demo",
+        "0.1.0",
+        source_type="legacy",
+        source_reference="foo",
+        source_url="https://foo.bar/simple/",
+    )
+    package.files = [
+        {
+            "hash": "sha256:9fa123ad707a5c6c944743bf3e11a0e80d86cb518d3cf25320866ca3ef43e2ad",  # noqa: E501
+            "filename": "demo-0.1.0.tar.gz",
+        }
+    ]
+    res = chooser.choose_for(package)
+    assert res.filename == "demo-0.1.0.tar.gz"
--- a/tests/repositories/fixtures/legacy/demo.html
+++ b/tests/repositories/fixtures/legacy/demo.html
+<html>
+<head><title>Simple Index</title><meta name="api-version" value="2" /></head>
+<body>
+<a href="https://files.pythonhosted.org/distributions/demo-0.1.0.tar.gz#md5=d1912c917363a64e127318655f7d1fe7" rel="internal">demo-0.1.0.tar.gz</a><br/>
+</body>
+</html>