Improve error handling on FIPS systems #9152

Merged
7 changes: 6 additions & 1 deletion src/poetry/repositories/http_repository.py
Expand Up @@ -4,6 +4,7 @@
import hashlib

from contextlib import contextmanager
from contextlib import suppress
from pathlib import Path
from typing import TYPE_CHECKING
from typing import Any
Expand Down Expand Up @@ -374,7 +375,11 @@ def calculate_sha256(self, link: Link) -> str | None:
hash_name = get_highest_priority_hash_type(
set(link.hashes.keys()), link.filename
)
known_hash = getattr(hashlib, hash_name)() if hash_name else None
known_hash = None
with suppress(ValueError, AttributeError):
# Handle ValueError here as well since under FIPS environments
# this is what is raised (e.g., for MD5)
known_hash = getattr(hashlib, hash_name)() if hash_name else None
required_hash = hashlib.sha256()

chunksize = 4096
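Review bot: The `suppress(ValueError, AttributeError)` block around the `known_hash` lookup discards the failure silently, so when the index publishes only a digest type that hashlib refuses (MD5 under FIPS) nothing records that the comparison against the published digest can no longer happen. The rest of `calculate_sha256` is outside the hunk, but with `known_hash` left as `None` the download is presumably hashed with SHA-256 only and never checked against the index value, which is an integrity downgrade an operator should be able to see. I would replace the `suppress` with an explicit `except (ValueError, AttributeError):` branch that logs the unusable `hash_name` and `link.filename` at warning level, assuming the module has a logger. `AttributeError` is also newly swallowed although the comment explains only `ValueError`; extend the comment to say when it can occur, or drop it from the tuple if `get_highest_priority_hash_type` already guarantees a hashlib name.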
68 changes: 68 additions & 0 deletions tests/repositories/test_http_repository.py
Expand Up @@ -153,3 +153,71 @@ def test_get_info_from_wheel_state_sequence(mocker: MockerFixture) -> None:
repo._get_info_from_wheel(link)
assert mock_metadata_from_wheel_url.call_count == 5
assert mock_download.call_count == 4


@pytest.mark.parametrize(
"mock_hashes",
[
None,
{"sha256": "e216b70f013c47b82a72540d34347632c5bfe59fd54f5fe5d51f6a68b19aaf84"},
{"md5": "be7589b4902793e66d7d979bd8581591"},
],
)
def test_calculate_sha256(
mocker: MockerFixture, mock_hashes: dict[str, Any] | None
) -> None:
filename = "poetry_core-1.5.0-py3-none-any.whl"
filepath = MockRepository.DIST_FIXTURES / filename
mock_download = mocker.patch(
"poetry.repositories.http_repository.download_file",
side_effect=lambda _, dest, *args, **kwargs: shutil.copy(filepath, dest),
)
domain = "foo.com"
link = Link(f"https://{domain}/{filename}", hashes=mock_hashes)
repo = MockRepository()

calculated_hash = repo.calculate_sha256(link)

assert mock_download.call_count == 1
assert (
calculated_hash
== "sha256:e216b70f013c47b82a72540d34347632c5bfe59fd54f5fe5d51f6a68b19aaf84"
)


def test_calculate_sha256_defaults_to_sha256_on_md5_errors(
mocker: MockerFixture,
) -> None:
raised_value_error = False

def mock_hashlib_md5_error() -> None:
nonlocal raised_value_error
raised_value_error = True
raise ValueError(
"[digital envelope routines: EVP_DigestInit_ex] disabled for FIPS"
)

filename = "poetry_core-1.5.0-py3-none-any.whl"
filepath = MockRepository.DIST_FIXTURES / filename
mock_download = mocker.patch(
"poetry.repositories.http_repository.download_file",
side_effect=lambda _, dest, *args, **kwargs: shutil.copy(filepath, dest),
)
mock_hashlib_md5 = mocker.patch("hashlib.md5", side_effect=mock_hashlib_md5_error)

domain = "foo.com"
link = Link(
f"https://{domain}/{filename}",
hashes={"md5": "be7589b4902793e66d7d979bd8581591"},
)
repo = MockRepository()

calculated_hash = repo.calculate_sha256(link)

assert raised_value_error
assert mock_download.call_count == 1
assert mock_hashlib_md5.call_count == 1
assert (
calculated_hash
== "sha256:e216b70f013c47b82a72540d34347632c5bfe59fd54f5fe5d51f6a68b19aaf84"
)
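Review bot: In `test_calculate_sha256_defaults_to_sha256_on_md5_errors` the `nonlocal raised_value_error` flag duplicates what `mock_hashlib_md5.call_count == 1` already proves, and the helper is annotated `-> None` although it never returns. Passing the exception directly, `mocker.patch("hashlib.md5", side_effect=ValueError("[digital envelope routines: EVP_DigestInit_ex] disabled for FIPS"))`, removes both the helper and the flag. The `AttributeError` branch added to `calculate_sha256` has no test in this section; a case with a hash name hashlib does not provide would cover it, if `get_highest_priority_hash_type` can return one.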