providercache: verify locked hashes for local package dirs

Previously we were only verifying locked hashes for local archive zip files, but if we have non-ziphash hashes available then we can and should also verify that a local directory matches at least one of them. This does mean that folks using filesystem mirrors but yet also running Terraform across multiple platforms will need to take some extra care to ensure the hashes pass on all relevant platforms, which could mean using "terraform providers lock" to pre-seed their lock files with hashes across all platforms, or could mean using the "packed" directory layout for the filesystem mirror so that Terraform will end up in the install-from-archive codepath instead of this install-from-directory codepath, and can thus verify ziphash too. (There's no additional documentation about the above here because there's already general information about this in the lock file documentation due to some similar -- though not identical -- situations with network mirrors.)
2025-12-25 01:00:16 -05:00 · 2020-10-27 16:44:37 -07:00
parent 24d32e9ca2
commit e6e0b6ee46
2 changed files with 52 additions and 17 deletions
--- a/internal/providercache/installer_test.go
+++ b/internal/providercache/installer_test.go
@@ -1085,6 +1085,8 @@ func TestEnsureProviderVersions(t *testing.T) {
 			Reqs: getproviders.Requirements{
 				beepProvider: getproviders.MustParseVersionConstraints(">= 1.0.0"),
 			},
+			WantErr: `some providers could not be installed:
+- example.com/foo/beep: the local package for example.com/foo/beep 1.0.0 doesn't match any of the checksums previously recorded in the dependency lock file (this might be because the available checksums are for packages targeting different platforms)`,
 			WantEvents: func(inst *Installer, dir *Dir) map[addrs.Provider][]*testInstallerEventLogItem {
 				return map[addrs.Provider][]*testInstallerEventLogItem{
 					noProvider: {
@@ -1094,12 +1096,6 @@ func TestEnsureProviderVersions(t *testing.T) {
 								beepProvider: getproviders.MustParseVersionConstraints(">= 1.0.0"),
 							},
 						},
-						{
-							Event: "ProvidersFetched",
-							Args: map[addrs.Provider]*getproviders.PackageAuthenticationResult{
-								beepProvider: nil,
-							},
-						},
 					},
 					beepProvider: {
 						{
@@ -1129,21 +1125,14 @@ func TestEnsureProviderVersions(t *testing.T) {
 							}{"1.0.0", beepProviderDir},
 						},
 						{
-							// FIXME: This ending in success with "unauthenticated"
-							// is technically okay within the interface as stated
-							// but doesn't really match our intent of treating
-							// a mismatch error against the lockfile as
-							// an error. We should make this an error in future.
-							Event:    "FetchPackageSuccess",
+							Event:    "FetchPackageFailure",
 							Provider: beepProvider,
 							Args: struct {
-								Version    string
-								LocalDir   string
-								AuthResult string
+								Version string
+								Error   string
 							}{
 								"1.0.0",
-								filepath.Join(dir.BasePath(), "example.com/foo/beep/1.0.0/bleep_bloop"),
-								"unauthenticated",
+								`the local package for example.com/foo/beep 1.0.0 doesn't match any of the checksums previously recorded in the dependency lock file (this might be because the available checksums are for packages targeting different platforms)`,
 							},
 						},
 					},