node: Get registry integrity matching lockfile

Re-committed by refi64 w/ some minor fixes, notes: Original commit at #287, I made some changes to match npm's behavior a bit more closely. Context: > Hahaha, so after hitting this locally, I've come to believe this > actually changed in the npm registry, and dists that formerly returned > the sha1 they were uploaded with now return a newly computed sha512. I > think the previous behavior I followed was also changed in npm/pacote > at some point too.
flatpak · refi64 · Jun 22, 2022 · Apr 24, 2022 · Apr 24, 2022 · Apr 24, 2022
commit 7fc0cf2ecf7f20974d79d08a3d51fab1954bd826
@@ -84,18 +84,14 @@ async def retrieve_integrity(self) -> Integrity:
             return metadata.integrity
 
 
-class UnresolvedRegistrySource:
-    pass
-
-
 class GitSource(NamedTuple):
     original: str
     url: str
     commit: str
     from_: Optional[str]
 
 
-PackageSource = Union[ResolvedSource, UnresolvedRegistrySource, GitSource]
+PackageSource = Union[ResolvedSource, GitSource]
 
 
 class Package(NamedTuple):

@@ -21,13 +21,7 @@
 
 from ..integrity import Integrity
 from ..manifest import ManifestGenerator
-from ..package import (
-    GitSource,
-    Package,
-    PackageSource,
-    ResolvedSource,
-    UnresolvedRegistrySource,
-)
+from ..package import GitSource, Package, PackageSource, ResolvedSource
 from ..requests import Requests
 from ..url_metadata import RemoteUrlMetadata
 from . import LockfileProvider, ModuleProvider, ProviderFactory, RCFileProvider
@@ -62,9 +56,8 @@ def process_dependencies(
                 git_source = self.parse_git_source(version, info['from'])
                 source = git_source
             else:
-                # NOTE: npm ignores the resolved field and just uses the provided
-                # registry instead. We follow the same behavior here.
-                source = UnresolvedRegistrySource()
+                integrity = Integrity.parse(info['integrity'])
+                source = ResolvedSource(resolved=info['resolved'], integrity=integrity)
 
             yield Package(name=name, version=version, source=source, lockfile=lockfile)
 
@@ -174,6 +167,8 @@ def add_index_entry(self, url: str, metadata: RemoteUrlMetadata) -> None:
         self.index_entries[index_path] = index
 
     async def resolve_source(self, package: Package) -> ResolvedSource:
+        assert isinstance(package.source, ResolvedSource)
+
         # These results are going to be the same each time.
         if package.name not in self.registry_packages:
             cache_future = asyncio.get_event_loop().create_future()
@@ -210,23 +205,37 @@ async def resolve_source(self, package: Package) -> ResolvedSource:
 
         index.used_versions.add(package.version)
 
-        integrity: Integrity
+        registry_integrity: Integrity
         if 'integrity' in dist:
-            integrity = Integrity.parse(dist['integrity'])
+            registry_integrity = Integrity.parse(dist['integrity'])
         elif 'shasum' in dist:
-            integrity = Integrity.from_sha1(dist['shasum'])
+            registry_integrity = Integrity.from_sha1(dist['shasum'])
         else:
             assert False, f'{package.name}@{package.version} has no integrity in dist'
 
+        if package.source.integrity:
+            # Follow npm in only checking for a matching integrity if the algorithms are
+            # the same:
+            # https://github.com/npm/pacote/blob/e48370d441b8d8eef3080e5d47c8ab6a8cc2aca0/lib/registry.js#L143
+            if (
+                package.source.integrity.algorithm == registry_integrity.algorithm
+                and package.source.integrity.digest != registry_integrity.digest
+            ):
+                raise ValueError(
+                    f"{package.name}@{package.version} integrity doesn't match registry integrity"
+                )
+
+            integrity = package.source.integrity
+        else:
+            integrity = registry_integrity
+
         return ResolvedSource(resolved=dist['tarball'], integrity=integrity)
 
     async def generate_package(self, package: Package) -> None:
         self.all_lockfiles.add(package.lockfile)
         source = package.source
 
-        assert not isinstance(source, ResolvedSource)
-
-        if isinstance(source, UnresolvedRegistrySource):
+        if isinstance(source, ResolvedSource):
             source = await self.resolve_source(package)
             assert source.resolved is not None
             assert source.integrity is not None