hg: fix cacheID construction

The repo URL must be in the cache id. The ref is purposely not included in it because we want to reuse the cached repository when the ref moves. And finally, we use a sha256 hash to mask any authentication data because we don't want them to be readable in the cache folder name.
carvel-dev · Apr 9, 2024 · de8fdf7 · de8fdf7
1 parent e0c3e90
commit de8fdf7
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/pkg/vendir/fetch/hg/hg.go b/pkg/vendir/fetch/hg/hg.go
@@ -5,6 +5,8 @@ package hg
 
 import (
 	"bytes"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"io"
 	"net/url"
@@ -126,6 +128,8 @@ func (t *Hg) setup(tempArea ctlfetch.TempArea) error {
 		return fmt.Errorf("Expected non-empty URL")
 	}
 
+	cacheID := t.opts.URL
+
 	authOpts, err := t.getAuthOpts()
 	if err != nil {
 		return err
@@ -178,7 +182,7 @@ hgauth.password = %s
 			}
 
 			sshCmd = append(sshCmd, "-i", path, "-o", "IdentitiesOnly=yes")
-			t.cacheID += "private-key=" + *authOpts.PrivateKey + "|"
+			cacheID += "private-key=" + *authOpts.PrivateKey + "|"
 		}
 
 		if authOpts.KnownHosts != nil {
@@ -190,7 +194,7 @@ hgauth.password = %s
 			}
 
 			sshCmd = append(sshCmd, "-o", "StrictHostKeyChecking=yes", "-o", "UserKnownHostsFile="+path)
-			t.cacheID += "known-hosts=" + *authOpts.KnownHosts + "|"
+			cacheID += "known-hosts=" + *authOpts.KnownHosts + "|"
 		} else {
 			sshCmd = append(sshCmd, "-o", "StrictHostKeyChecking=no")
 		}
@@ -205,9 +209,12 @@ hgauth.password = %s
 			return fmt.Errorf("Writing %s: %s", hgRcPath, err)
 		}
 		t.env = append(t.env, "HGRCPATH="+hgRcPath)
-		t.cacheID += hgRc
+		cacheID += hgRc
 	}
 
+	sha := sha256.Sum256([]byte(cacheID))
+	t.cacheID = hex.EncodeToString(sha[:])
+
 	return nil
 }