pylock: validate attestation-identities kind field

sbidoul · sbidoul · commit 96ce64a0e8ec · 2025-10-17T11:24:09.000+02:00
diff --git a/src/packaging/pylock.py b/src/packaging/pylock.py
@@ -541,6 +541,13 @@ def _from_dict(cls, d: Mapping[str, Any]) -> Self:
                 "Exactly one of vcs, directory, archive must be set "
                 "if sdist and wheels are not set"
             )
+        for i, attestation_identity in enumerate(package.attestation_identities or []):
+            try:
+                _get_required(attestation_identity, str, "kind")
+            except Exception as e:
+                raise PylockValidationError(
+                    e, context=f"attestation-identities[{i}]"
+                ) from e
         return package
 
     @property
diff --git a/tests/test_pylock.py b/tests/test_pylock.py
@@ -521,3 +521,58 @@ def test_validate_sequence_of_str() -> None:
     assert str(exc_info.value) == (
         "Unexpected type str (expected Sequence) in 'dependency-groups'"
     )
+
+
+def test_validate_attestation_identity_missing_kind() -> None:
+    data = {
+        "lock-version": "1.0",
+        "created-by": "pip",
+        "packages": [
+            {
+                "name": "example",
+                "version": "1.0",
+                "directory": {
+                    "path": ".",
+                },
+                "attestation-identities": [
+                    {
+                        # missing "kind" field
+                        "value": "some-value",
+                    }
+                ],
+            }
+        ],
+    }
+    with pytest.raises(PylockValidationError) as exc_info:
+        Pylock.from_dict(data)
+    assert str(exc_info.value) == (
+        "Missing required value in 'packages[0].attestation-identities[0].kind'"
+    )
+
+
+def test_validate_attestation_identity_invalid_kind() -> None:
+    data = {
+        "lock-version": "1.0",
+        "created-by": "pip",
+        "packages": [
+            {
+                "name": "example",
+                "version": "1.0",
+                "directory": {
+                    "path": ".",
+                },
+                "attestation-identities": [
+                    {
+                        "kind": 123,
+                        "value": "some-value",
+                    }
+                ],
+            }
+        ],
+    }
+    with pytest.raises(PylockValidationError) as exc_info:
+        Pylock.from_dict(data)
+    assert str(exc_info.value) == (
+        "Unexpected type int (expected str) "
+        "in 'packages[0].attestation-identities[0].kind'"
+    )
