Refactor link hash checking

Author: sbidoul

src/pip/_internal/cli/req_command.py

@@ -416,6 +416,7 @@ def get_requirements(
                 use_pep517=options.use_pep517,
                 user_supplied=True,
                 config_settings=getattr(options, "config_settings", None),
+                verify_link_hash=True,
             )
             requirements.append(req_to_add)
 

src/pip/_internal/index/package_finder.py

@@ -904,7 +904,7 @@ def find_requirement(
         Returns a InstallationCandidate if found,
         Raises DistributionNotFound or BestVersionAlreadyInstalled otherwise
         """
-        hashes = req.hashes(trust_internet=False)
+        hashes = req.hashes()
         best_candidate_result = self.find_best_candidate(
             req.name,
             specifier=req.specifier,

src/pip/_internal/operations/prepare.py

@@ -332,7 +332,7 @@ def _get_linked_req_hashes(self, req: InstallRequirement) -> Hashes:
         # (For example, we can raise VcsHashUnsupported for a VCS URL
         # rather than HashMissing.)
         if not self.require_hashes:
-            return req.hashes(trust_internet=True)
+            return req.hashes()
 
         # We could check these first 2 conditions inside unpack_url
         # and save repetition of conditions, but then we would
@@ -355,7 +355,7 @@ def _get_linked_req_hashes(self, req: InstallRequirement) -> Hashes:
         # shim it with a facade object that will provoke hash
         # computation and then raise a HashMissing exception
         # showing the user what the hash should be.
-        return req.hashes(trust_internet=False) or MissingHashes()
+        return req.hashes() or MissingHashes()
 
     def _fetch_metadata_only(
         self,

src/pip/_internal/req/constructors.py

@@ -8,6 +8,7 @@
 InstallRequirement.
 """
 
+import copy
 import logging
 import os
 import re
@@ -385,15 +386,25 @@ def install_req_from_line(
     line_source: Optional[str] = None,
     user_supplied: bool = False,
     config_settings: Optional[Dict[str, Union[str, List[str]]]] = None,
+    verify_link_hash: bool = False,
 ) -> InstallRequirement:
     """Creates an InstallRequirement from a name, which might be a
     requirement, directory containing 'setup.py', filename, or URL.
 
     :param line_source: An optional string describing where the line is from,
         for logging purposes in case of an error.
+    :param verify_link_hash: If True, consider the downloaded resource has to be
+        hash checked against the hash that was provided in the URL, in addition to
+        the hashes provided via hash_options.
     """
     parts = parse_req_from_line(name, line_source)
 
+    #
+    if parts.link and parts.link.hash and verify_link_hash:
+        assert parts.link.hash_name
+        hash_options = copy.deepcopy(hash_options) or {}
+        hash_options.setdefault(parts.link.hash_name, []).append(parts.link.hash)
+
     return InstallRequirement(
         parts.requirement,
         comes_from,
@@ -483,6 +494,7 @@ def install_req_from_parsed_requirement(
             constraint=parsed_req.constraint,
             line_source=parsed_req.line_source,
             user_supplied=user_supplied,
+            verify_link_hash=True,
         )
     return req
 

src/pip/_internal/req/req_install.py

@@ -271,26 +271,9 @@ def has_hash_options(self) -> bool:
         """
         return bool(self.hash_options)
 
-    def hashes(self, trust_internet: bool = True) -> Hashes:
-        """Return a hash-comparer that considers my option- and URL-based
-        hashes to be known-good.
-
-        Hashes in URLs--ones embedded in the requirements file, not ones
-        downloaded from an index server--are almost peers with ones from
-        flags. They satisfy --require-hashes (whether it was implicitly or
-        explicitly activated) but do not activate it. md5 and sha224 are not
-        allowed in flags, which should nudge people toward good algos. We
-        always OR all hashes together, even ones from URLs.
-
-        :param trust_internet: Whether to trust URL-based (#md5=...) hashes
-            downloaded from the internet, as by populate_link()
-
-        """
-        good_hashes = self.hash_options.copy()
-        link = self.link if trust_internet else self.original_link
-        if link and link.hash:
-            good_hashes.setdefault(link.hash_name, []).append(link.hash)
-        return Hashes(good_hashes)
+    def hashes(self) -> Hashes:
+        """Return a hash-comparer that considers my option-hashes to be known-good."""
+        return Hashes(self.hash_options)
 
     def from_path(self) -> Optional[str]:
         """Format a nice indicator to show where this "comes from" """

src/pip/_internal/resolution/resolvelib/base.py

@@ -34,7 +34,7 @@ def empty(cls) -> "Constraint":
     @classmethod
     def from_ireq(cls, ireq: InstallRequirement) -> "Constraint":
         links = frozenset([ireq.link]) if ireq.link else frozenset()
-        return Constraint(ireq.specifier, ireq.hashes(trust_internet=False), links)
+        return Constraint(ireq.specifier, ireq.hashes(), links)
 
     def __bool__(self) -> bool:
         return bool(self.specifier) or bool(self.hashes) or bool(self.links)
@@ -43,7 +43,7 @@ def __and__(self, other: InstallRequirement) -> "Constraint":
         if not isinstance(other, InstallRequirement):
             return NotImplemented
         specifier = self.specifier & other.specifier
-        hashes = self.hashes & other.hashes(trust_internet=False)
+        hashes = self.hashes & other.hashes()
         links = self.links
         if other.link:
             links = links.union([other.link])

src/pip/_internal/resolution/resolvelib/factory.py

@@ -248,7 +248,7 @@ def _iter_found_candidates(
         for ireq in ireqs:
             assert ireq.req, "Candidates found on index must be PEP 508"
             specifier &= ireq.req.specifier
-            hashes &= ireq.hashes(trust_internet=False)
+            hashes &= ireq.hashes()
             extras |= frozenset(ireq.extras)
 
         def _get_installed_candidate() -> Optional[Candidate]: