From 7d0a98af4653d8b876d16ded3bf192585150f547 Mon Sep 17 00:00:00 2001
From: Martin Atkins
Date: Wed, 24 May 2017 15:15:24 -0700
Subject: [PATCH] command: provider resolver to also check SHA256 constraints when set

In addition to looking for matching versions, the caller can also optionally require a specific executable by its SHA256 digest.
---
 command/plugins.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/command/plugins.go b/command/plugins.go
index dfd168dbd..020e83946 100644
--- a/command/plugins.go
+++ b/command/plugins.go
@@ -33,6 +33,22 @@ func (r *multiVersionProviderResolver) ResolveProviders(
 for name := range reqd {
 if metas := candidates[name]; metas != nil {
 newest := metas.Newest()
+
+ digest, err := newest.SHA256()
+ if err != nil {
+ errs = append(errs, fmt.Errorf("provider.%s: failed to load plugin to verify its signature: %s", name, err))
+ continue
+ }
+ if !reqd[name].AcceptsSHA256(digest) {
+ // This generic error message is intended to avoid troubling
+ // users with implementation details. The main useful point
+ // here is that they need to run "terraform init" to
+ // fix this, which is covered by the UI code reporting these
+ // error messages.
+ errs = append(errs, fmt.Errorf("provider.%s: not yet initialized", name))
+ continue
+ }
+
 client := tfplugin.Client(newest)
 factories[name] = providerFactory(client)
 } else {
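Review bot: A digest mismatch in the `AcceptsSHA256` branch is reported only as `not yet initialized`, so a plugin binary that changed on disk after it was pinned leaves no record that distinguishes it from a provider that was never installed. Keeping the user-facing text generic is reasonable, but the branch should also log the mismatch for diagnosis, e.g. `log.Printf("[WARN] provider.%s: plugin SHA256 %x does not match the required digest", name, digest)` before the `append` (this assumes `log` is imported in this file, which the hunk does not show). The first error message says `verify its signature`, but what is checked is a SHA256 digest against a required value, not a signature; `failed to read plugin to verify its SHA256 digest: %s` would state that accurately. The hash is computed first and `tfplugin.Client(newest)` presumably launches the same path afterwards, so the check only holds if the plugin directory is not writable by anyone less trusted than the user running the command; a comment stating that assumption would help. The body of ResolveProviders starts and ends outside the hunk.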