pip_api: initial support for hashed requirements

README.md

@@ -80,6 +80,7 @@ If the command you are trying to use is not compatible, `pip_api` will raise a
   > * `Requirement.marker` ([`packaging.markers.Marker`](https://packaging.pypa.io/en/latest/markers/#packaging.markers.Marker)): A `Marker` of the marker for the requirement. Can be `None`.
   > Optionally takes an `options` parameter to override the regex used to skip requirements lines.
   > Optionally takes an `include_invalid` parameter to return an `UnparsedRequirement` in the event that a requirement cannot be parsed correctly.
+  > Optionally takes a `strict_hashes` parameter to require that all requirements have associated hashes.
 
 ### Available with `pip>=8.0.0`:
 * `pip_api.hash(filename, algorithm='sha256')`

pip_api/_parse_requirements.py

@@ -7,6 +7,8 @@
 import string
 import sys
 
+from collections import defaultdict
+
 from typing import Any, Dict, Optional, Union, Tuple
 
 from urllib.parse import urljoin, unquote, urlsplit
@@ -24,6 +26,7 @@
 parser.add_argument("-i", "--index-url")
 parser.add_argument("--extra-index-url")
 parser.add_argument("-f", "--find-links")
+parser.add_argument("--hash", action="append", dest="hashes")
 
 operators = specifiers.Specifier._operators.keys()
 
@@ -37,6 +40,8 @@
     re.VERBOSE,
 )
 WINDOWS = sys.platform.startswith("win") or (sys.platform == "cli" and os.name == "nt")
+# https://pip.pypa.io/en/stable/cli/pip_hash/
+VALID_HASHES = {"sha256", "sha384", "sha512"}
 
 
 class Link:
@@ -172,6 +177,13 @@ def _url_to_path(url):
     return path
 
 
+class Requirement(requirements.Requirement):
+    def __init__(self, *args, **kwargs):
+        self.hashes = kwargs.pop("hashes", None)
+
+        super().__init__(*args, **kwargs)
+
+
 class UnparsedRequirement(object):
     def __init__(self, name, msg, filename, lineno):
         self.name = name
@@ -445,11 +457,15 @@ def _parse_requirement_url(req_str):
 
 
 def parse_requirements(
-    filename: os.PathLike, options: Optional[Any] = None, include_invalid: bool = False
-) -> Dict[str, Union[requirements.Requirement, UnparsedRequirement]]:
+    filename: os.PathLike,
+    options: Optional[Any] = None,
+    include_invalid: bool = False,
+    strict_hashes: bool = False,
+) -> Dict[str, Union[Requirement, UnparsedRequirement]]:
     to_parse = {filename}
     parsed = set()
     name_to_req = {}
+    require_hashes = False
 
     while to_parse:
         filename = to_parse.pop()
@@ -463,8 +479,41 @@ def parse_requirements(
         lines_enum = _skip_regex(lines_enum, options)
 
         for lineno, line in lines_enum:
-            req: Optional[Union[requirements.Requirement, UnparsedRequirement]] = None
+            req: Optional[Union[Requirement, UnparsedRequirement]] = None
             known, _ = parser.parse_known_args(line.strip().split())
+
+            # If a requirement is missing hashes but we require them, fail.
+            if strict_hashes and not known.hashes and require_hashes:
+                raise PipError(
+                    "invalid: missing hashes for requirement in %s, line %s"
+                    % (filename, lineno)
+                )
+
+            # Similarly, fail if a requirement has hashes but every requirement
+            # we've parsed previously hasn't had them.
+            if (
+                strict_hashes
+                and known.hashes
+                and not require_hashes
+                and len(name_to_req) > 0
+            ):
+                raise PipError(
+                    "invalid: missing hashes for requirements prior to %s, line %s"
+                    % (filename, lineno)
+                )
+
+            hashes_by_kind = defaultdict(list)
+            if known.hashes:
+                require_hashes = True
+                for hsh in known.hashes:
+                    kind, hsh = hsh.split(":", 1)
+                    if kind not in VALID_HASHES:
+                        raise PipError(
+                            "invalid --hash kind %s, expected one of %s"
+                            % (kind, VALID_HASHES)
+                        )
+                    hashes_by_kind[kind].append(hsh)
+
             if known.req:
                 req_str = str().join(known.req)
                 try:
@@ -477,7 +526,7 @@ def parse_requirements(
 
                 try:  # Try to parse this as a requirement specification
                     if req is None:
-                        req = requirements.Requirement(parsed_req_str)
+                        req = Requirement(parsed_req_str, hashes=dict(hashes_by_kind))
                 except requirements.InvalidRequirement:
                     try:
                         _check_invalid_requirement(req_str)
@@ -493,7 +542,7 @@ def parse_requirements(
                     to_parse.add(full_path)
             elif known.editable:
                 name, url = _parse_editable(known.editable)
-                req = requirements.Requirement("%s @ %s" % (name, url))
+                req = Requirement("%s @ %s" % (name, url))
             else:
                 pass  # This is an invalid requirement
 

tests/test_parse_requirements.py

@@ -14,6 +14,7 @@ def test_parse_requirements(monkeypatch):
 
     assert set(result) == {"foo"}
     assert str(result["foo"]) == "foo==1.2.3"
+    assert result["foo"].hashes == {}
 
 
 def test_parse_requirements_with_comments(monkeypatch):
@@ -253,3 +254,85 @@ def test_parse_requirements_with_missing_egg_suffix(monkeypatch):
         PipError, match=r"Missing egg fragment in URL: " + PEP508_PIP_EXAMPLE_URL
     ):
         pip_api.parse_requirements("a.txt")
+
+
+def test_parse_requirements_hashes(monkeypatch):
+    files = {
+        "a.txt": [
+            "foo==1.2.3 "
+            "--hash=sha256:862db587c4257f71293cf07cafc521961712c088a52981f3d81be056eaabc95e "
+            "--hash=sha256:0cfea7e5a53d5a256b4e8609c8a1812ad9af5c611432ec9dccbb4d79dc6a336e "
+            "--hash=sha384:673546e6c3236a36e5db5f1bc9d2cb5f3f974d3d4e9031f405b1dc7874575e2ad91436d02edf8237a889ab1cecb35d56 "
+            "--hash=sha512:3b149832490a704091abed6a9bd40ef7f4176b279263d4cbbb440b067ced99cadc006c03bc47488755351022fb49f2f10edfec110f027039bda703d407135c47"
+        ]
+    }
+    monkeypatch.setattr(pip_api._parse_requirements, "_read_file", files.get)
+
+    result = pip_api.parse_requirements("a.txt")
+
+    assert set(result) == {"foo"}
+    assert result["foo"].hashes == {
+        "sha256": [
+            "862db587c4257f71293cf07cafc521961712c088a52981f3d81be056eaabc95e",
+            "0cfea7e5a53d5a256b4e8609c8a1812ad9af5c611432ec9dccbb4d79dc6a336e",
+        ],
+        "sha384": [
+            "673546e6c3236a36e5db5f1bc9d2cb5f3f974d3d4e9031f405b1dc7874575e2ad91436d02edf8237a889ab1cecb35d56"
+        ],
+        "sha512": [
+            "3b149832490a704091abed6a9bd40ef7f4176b279263d4cbbb440b067ced99cadc006c03bc47488755351022fb49f2f10edfec110f027039bda703d407135c47"
+        ],
+    }
+
+
+def test_parse_requirements_invalid_hash_kind(monkeypatch):
+    files = {"a.txt": ["foo==1.2.3 --hash=md5:0d5a28f01dccb5a549c31016883f59c2"]}
+    monkeypatch.setattr(pip_api._parse_requirements, "_read_file", files.get)
+
+    with pytest.raises(PipError, match=r"invalid --hash kind"):
+        pip_api.parse_requirements("a.txt")
+
+
+@pytest.mark.parametrize(
+    "strict_hashes",
+    (True, False),
+)
+def test_parse_requirements_missing_hashes(monkeypatch, strict_hashes):
+    files = {
+        "a.txt": [
+            "foo==1.2.3 --hash=sha256:862db587c4257f71293cf07cafc521961712c088a52981f3d81be056eaabc95e\n",
+            "bar==1.2.3\n",
+        ]
+    }
+    monkeypatch.setattr(pip_api._parse_requirements, "_read_file", files.get)
+
+    if strict_hashes:
+        with pytest.raises(
+            PipError, match=r"missing hashes for requirement in a\.txt, line 2"
+        ):
+            pip_api.parse_requirements("a.txt", strict_hashes=strict_hashes)
+    else:
+        pip_api.parse_requirements("a.txt", strict_hashes=strict_hashes)
+
+
+@pytest.mark.parametrize(
+    "strict_hashes",
+    (True, False),
+)
+def test_parse_requirements_missing_hashes_late(monkeypatch, strict_hashes):
+    files = {
+        "a.txt": [
+            "foo==1.2.3\n",
+            "bar==1.2.3\n",
+            "baz==1.2.3 --hash=sha256:862db587c4257f71293cf07cafc521961712c088a52981f3d81be056eaabc95e\n",
+        ]
+    }
+    monkeypatch.setattr(pip_api._parse_requirements, "_read_file", files.get)
+
+    if strict_hashes:
+        with pytest.raises(
+            PipError, match=r"missing hashes for requirements prior to a\.txt, line 3"
+        ):
+            pip_api.parse_requirements("a.txt", strict_hashes=strict_hashes)
+    else:
+        pip_api.parse_requirements("a.txt", strict_hashes=strict_hashes)