getproviders: Unify package authentication with hash lock selection

As discussed in opentofu/opentofu#2656, this consolidates the two concerns
of the PackageAuthentication interface into a single function that deals
both with package authentication _and_ with reporting all of the package
hashes that were used to make the authentication decision.

This means that any .zip archive that OpenTofu directly verifies during
installation can now have its hash recorded in the dependency lock file
even if that package didn't come from the provider's origin registry, which
is beneficial when the first installation of a provider comes from a
secondary ("mirror") source because it creates an additional hook by which
that dependency lock file entry can be "upgraded" to be complete in a
future "tofu init" run against the origin registry, or by the
"tofu providers lock" command.

Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
Martin Atkins
2025-03-21 17:25:25 -07:00
parent 754d7eb58b
commit 55855fca70
18 changed files with 1235 additions and 384 deletions


@@ -142,17 +142,16 @@ func TestSourcePackageMeta(t *testing.T) {
[]SigningKey{
{ASCIIArmor: TestingPublicKey},
},
&tfaddr.Provider{Hostname: "example.com", Namespace: "awesomesauce", Type: "happycloud"},
tfaddr.Provider{Hostname: "example.com", Namespace: "awesomesauce", Type: "happycloud"},
),
)
tests := []struct {
provider string
version string
os, arch string
want PackageMeta
wantHashes []Hash
wantErr string
provider string
version string
os, arch string
want PackageMeta
wantErr string
}{
// These test cases are relying on behaviors of the fake provider
// registry server implemented in registry_client_test.go.
@@ -161,10 +160,6 @@ func TestSourcePackageMeta(t *testing.T) {
"1.2.0",
"linux", "amd64",
validMeta,
[]Hash{
"zh:000000000000000000000000000000000000000000000000000000000000f00d",
"zh:000000000000000000000000000000000000000000000000000000000000face",
},
``,
},
{
@@ -172,7 +167,6 @@ func TestSourcePackageMeta(t *testing.T) {
"1.2.0",
"nonexist", "amd64",
PackageMeta{},
nil,
`provider example.com/awesomesauce/happycloud 1.2.0 is not available for nonexist_amd64`,
},
{
@@ -180,7 +174,6 @@ func TestSourcePackageMeta(t *testing.T) {
"1.2.0",
"linux", "amd64",
PackageMeta{},
nil,
`host not.example.com does not offer a OpenTofu provider registry`,
},
{
@@ -188,7 +181,6 @@ func TestSourcePackageMeta(t *testing.T) {
"1.2.0",
"linux", "amd64",
PackageMeta{},
nil,
`host too-new.example.com does not support the provider registry protocol required by this OpenTofu version, but may be compatible with a different OpenTofu version`,
},
{
@@ -196,7 +188,6 @@ func TestSourcePackageMeta(t *testing.T) {
"1.2.0",
"linux", "amd64",
PackageMeta{},
nil,
`could not query provider registry for fails.example.com/awesomesauce/happycloud: the request failed after 2 attempts, please try again later: Get "http://placeholder-origin/fails-immediately/awesomesauce/happycloud/1.2.0/download/linux/amd64": EOF`,
},
}
@@ -241,9 +232,6 @@ func TestSourcePackageMeta(t *testing.T) {
if diff := cmp.Diff(got, test.want, cmpOpts); diff != "" {
t.Errorf("wrong result\n%s", diff)
}
if diff := cmp.Diff(test.wantHashes, got.AcceptableHashes()); diff != "" {
t.Errorf("wrong AcceptableHashes result\n%s", diff)
}
})
}