command: provider resolver to also check SHA256 constraints when set

In addition to looking for matching versions, the caller can also optionally require a specific executable by its SHA256 digest.
2017-05-24 15:15:24 -07:00 · 2017-05-24 15:15:24 -07:00 · 7d0a98af46
parent e3401947a6
commit 7d0a98af46
1 changed files with 16 additions and 0 deletions
--- a/command/plugins.go
+++ b/command/plugins.go
@ -33,6 +33,22 @@ func (r *multiVersionProviderResolver) ResolveProviders(
 	for name := range reqd {
 		if metas := candidates[name]; metas != nil {
 			newest := metas.Newest()
+
+			digest, err := newest.SHA256()
+			if err != nil {
+				errs = append(errs, fmt.Errorf("provider.%s: failed to load plugin to verify its signature: %s", name, err))
+				continue
+			}
+			if !reqd[name].AcceptsSHA256(digest) {
+				// This generic error message is intended to avoid troubling
+				// users with implementation details. The main useful point
+				// here is that they need to run "terraform init" to
+				// fix this, which is covered by the UI code reporting these
+				// error messages.
+				errs = append(errs, fmt.Errorf("provider.%s: not yet initialized", name))
+				continue
+			}
+
 			client := tfplugin.Client(newest)
 			factories[name] = providerFactory(client)
 		} else {