From 72806dd4ef8952a27310c9bc0bc0c8bd93b816d1 Mon Sep 17 00:00:00 2001
From: Borjan Tchakaloff
Date: Fri, 11 Oct 2019 12:06:08 +0200
Subject: [PATCH] Resolve git refs to git revisions [#1331] (#1337)
* Check that a git dependency resolves to a revision A git dependency should be resolved to a full git revision (SHA-1). When dealing with a git dependency, this is the only way to lock the dependency in-place (because revisions are immutable).
* Check that a pinned git dependency resolves to a revision There are three mutually exclusive parameters that can be used to pin a git dependency: `branch`, `tag`, and `rev`. Since they all can be moving targets, they should be resolved to a full git revision (SHA-1) to ensure a proper in-place lock. This change highlights bug #1331 and currently fails.
* Make sure a git reference resolves to a revision Do not lock a git dependency to a named reference but to a full git revision instead. This ensures reproducibility and security as git revisions are immutable.
Fixes: #1331
---
poetry/puzzle/provider.py | 3 ---
tests/puzzle/test_solver.py | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/poetry/puzzle/provider.py b/poetry/puzzle/provider.py
index 5714d9c804b..b9e3dff7d34 100644
--- a/poetry/puzzle/provider.py
+++ b/poetry/puzzle/provider.py
@@ -172,9 +172,6 @@ def search_for_vcs(self, dependency): # type: (VCSDependency) -> List[Package]
 name=dependency.name,
 )
- if dependency.tag or dependency.rev:
- package.source_reference = dependency.reference
-
 for extra in dependency.extras:
 if extra in package.extras:
 for dep in package.extras[extra]:
diff --git a/tests/puzzle/test_solver.py b/tests/puzzle/test_solver.py
index cd765c54fb4..0d285ab97b5 100644
--- a/tests/puzzle/test_solver.py
+++ b/tests/puzzle/test_solver.py
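Review bot: With the override deleted, the value of `package.source_reference` for a branch/tag/rev-pinned dependency now comes entirely from the `Package(...)` construction whose closing lines (`name=dependency.name,` / `)`) sit at the top of the hunk, and nothing in the remaining code states the invariant the fix depends on. A comment above that constructor call, such as `# source_reference must hold the resolved commit SHA, never the requested branch/tag/rev: the lock is only reproducible if the reference is immutable`, would make the regression this commit removes harder to reintroduce. Whether the constructor is already fed the resolved revision rather than `dependency.reference` cannot be confirmed from the hunk, so the deletion alone is only a fix if that is the case. `search_for_vcs` starts before this hunk and continues past it.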
@@ -928,6 +928,11 @@ def test_solver_can_resolve_git_dependencies(solver, repo, package):
 ],
 )
+ op = ops[1]
+
+ assert op.package.source_type == "git"
+ assert op.package.source_reference.startswith("9cf87a2")
+
 def test_solver_can_resolve_git_dependencies_with_extras(solver, repo, package):
 pendulum = get_package("pendulum", "2.0.3")
@@ -951,6 +956,37 @@ def test_solver_can_resolve_git_dependencies_with_extras(solver, repo, package):
 )
+@pytest.mark.parametrize(
+ "ref",
+ [{"branch": "a-branch"}, {"tag": "a-tag"}, {"rev": "9cf8"}],
+ ids=["branch", "tag", "rev"],
+)
+def test_solver_can_resolve_git_dependencies_with_ref(solver, repo, package, ref):
+ pendulum = get_package("pendulum", "2.0.3")
+ cleo = get_package("cleo", "1.0.0")
+ repo.add_package(pendulum)
+ repo.add_package(cleo)
+
+ git_config = {"git": "https://github.com/demo/demo.git"}
+ git_config.update(ref)
+ package.add_dependency("demo", git_config)
+
+ ops = solver.solve()
+
+ check_solver_result(
+ ops,
+ [
+ {"job": "install", "package": pendulum},
+ {"job": "install", "package": get_package("demo", "0.1.2")},
+ ],
+ )
+
+ op = ops[1]
+
+ assert op.package.source_type == "git"
+ assert op.package.source_reference.startswith("9cf87a2")
+
+
 def test_solver_does_not_trigger_conflict_for_python_constraint_if_python_requirement_is_compatible(
 solver, repo, package
 ):
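Review bot: `assert op.package.source_reference.startswith("9cf87a2")` only checks a seven-character prefix, so a `source_reference` left as an abbreviated revision would still pass — the `rev` case of the parametrized test below even supplies the four-character `"9cf8"` — while the commit message requires resolution to a full SHA-1 for the lock to be immutable. Adding `assert len(op.package.source_reference) == 40` next to the prefix check in both `test_solver_can_resolve_git_dependencies` and `test_solver_can_resolve_git_dependencies_with_ref` would make an unexpanded reference fail. Whether the mocked git backend used by these fixtures returns a full hash is decided outside the hunk, so the expected length may need to be confirmed against it. The same assertion pair appears in both hunks of this file; this note covers both.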