feat: redact credentials in remote urls

Author: pd93

task_test.go

@@ -702,6 +702,7 @@ func TestIncludesRemote(t *testing.T) {
 	enableExperimentForTest(t, &experiments.RemoteTaskfiles, 1)
 
 	dir := "testdata/includes_remote"
+	os.RemoveAll(filepath.Join(dir, ".task", "remote"))
 
 	srv := httptest.NewServer(http.FileServer(http.Dir(dir)))
 	defer srv.Close()
@@ -777,8 +778,8 @@ func TestIncludesRemote(t *testing.T) {
 				},
 			}
 
-			for j, e := range executors {
-				t.Run(fmt.Sprint(j), func(t *testing.T) {
+			for _, e := range executors {
+				t.Run(e.name, func(t *testing.T) {
 					require.NoError(t, e.executor.Setup())
 
 					for k, taskCall := range taskCalls {

taskfile/node_git.go

@@ -40,13 +40,10 @@ func NewGitNode(
 		return nil, err
 	}
 
-	basePath, path := func() (string, string) {
-		x := strings.Split(u.Path, "//")
-		return x[0], x[1]
-	}()
+	basePath, path := splitPath(u)
 	ref := u.Query().Get("ref")
 
-	rawUrl := u.String()
+	rawUrl := u.Redacted()
 
 	u.RawQuery = ""
 	u.Path = basePath
@@ -127,11 +124,23 @@ func (node *GitNode) ResolveDir(dir string) (string, error) {
 
 func (node *GitNode) CacheKey() string {
 	checksum := strings.TrimRight(checksum([]byte(node.Location())), "=")
-	prefix := filepath.Base(filepath.Dir(node.path))
-	lastDir := filepath.Base(node.path)
+	lastDir := filepath.Base(filepath.Dir(node.path))
+	prefix := filepath.Base(node.path)
 	// Means it's not "", nor "." nor "/", so it's a valid directory
 	if len(lastDir) > 1 {
-		prefix = fmt.Sprintf("%s-%s", lastDir, prefix)
+		prefix = fmt.Sprintf("%s.%s", lastDir, prefix)
+	}
+	return fmt.Sprintf("git.%s.%s.%s", node.URL.Host, prefix, checksum)
+}
+
+func splitPath(u *url.URL) (string, string) {
+	x := strings.Split(u.Path, "//")
+	switch len(x) {
+	case 0:
+		return "", ""
+	case 1:
+		return x[0], ""
+	default:
+		return x[0], x[1]
 	}
-	return fmt.Sprintf("%s.%s", prefix, checksum)
 }

taskfile/node_git_test.go

@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestGitNode_ssh(t *testing.T) {
@@ -13,7 +14,7 @@ func TestGitNode_ssh(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "main", node.ref)
 	assert.Equal(t, "Taskfile.yml", node.path)
-	assert.Equal(t, "ssh://[email protected]/foo/bar.git//Taskfile.yml?ref=main", node.rawUrl)
+	assert.Equal(t, "ssh://[email protected]/foo/bar.git//Taskfile.yml?ref=main", node.Location())
 	assert.Equal(t, "ssh://[email protected]/foo/bar.git", node.URL.String())
 	entrypoint, err := node.ResolveEntrypoint("common.yml")
 	assert.NoError(t, err)
@@ -27,7 +28,7 @@ func TestGitNode_sshWithDir(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "main", node.ref)
 	assert.Equal(t, "directory/Taskfile.yml", node.path)
-	assert.Equal(t, "ssh://[email protected]/foo/bar.git//directory/Taskfile.yml?ref=main", node.rawUrl)
+	assert.Equal(t, "ssh://[email protected]/foo/bar.git//directory/Taskfile.yml?ref=main", node.Location())
 	assert.Equal(t, "ssh://[email protected]/foo/bar.git", node.URL.String())
 	entrypoint, err := node.ResolveEntrypoint("common.yml")
 	assert.NoError(t, err)
@@ -41,7 +42,7 @@ func TestGitNode_https(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "main", node.ref)
 	assert.Equal(t, "Taskfile.yml", node.path)
-	assert.Equal(t, "https://github.com/foo/bar.git//Taskfile.yml?ref=main", node.rawUrl)
+	assert.Equal(t, "https://github.com/foo/bar.git//Taskfile.yml?ref=main", node.Location())
 	assert.Equal(t, "https://github.com/foo/bar.git", node.URL.String())
 	entrypoint, err := node.ResolveEntrypoint("common.yml")
 	assert.NoError(t, err)
@@ -55,7 +56,7 @@ func TestGitNode_httpsWithDir(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "main", node.ref)
 	assert.Equal(t, "directory/Taskfile.yml", node.path)
-	assert.Equal(t, "https://github.com/foo/bar.git//directory/Taskfile.yml?ref=main", node.rawUrl)
+	assert.Equal(t, "https://github.com/foo/bar.git//directory/Taskfile.yml?ref=main", node.Location())
 	assert.Equal(t, "https://github.com/foo/bar.git", node.URL.String())
 	entrypoint, err := node.ResolveEntrypoint("common.yml")
 	assert.NoError(t, err)
@@ -65,18 +66,28 @@ func TestGitNode_httpsWithDir(t *testing.T) {
 func TestGitNode_CacheKey(t *testing.T) {
 	t.Parallel()
 
-	node, err := NewGitNode("https://github.com/foo/bar.git//directory/Taskfile.yml?ref=main", "", false)
-	assert.NoError(t, err)
-	key := node.CacheKey()
-	assert.Equal(t, "Taskfile.yml-directory.f1ddddac425a538870230a3e38fc0cded4ec5da250797b6cab62c82477718fbb", key)
+	tests := []struct {
+		entrypoint  string
+		expectedKey string
+	}{
+		{
+			entrypoint:  "https://github.com/foo/bar.git//directory/Taskfile.yml?ref=main",
+			expectedKey: "git.github.com.directory.Taskfile.yml.f1ddddac425a538870230a3e38fc0cded4ec5da250797b6cab62c82477718fbb",
+		},
+		{
+			entrypoint:  "https://github.com/foo/bar.git//Taskfile.yml?ref=main",
+			expectedKey: "git.github.com.Taskfile.yml.39d28c1ff36f973705ae188b991258bbabaffd6d60bcdde9693d157d00d5e3a4",
+		},
+		{
+			entrypoint:  "https://github.com/foo/bar.git//multiple/directory/Taskfile.yml?ref=main",
+			expectedKey: "git.github.com.directory.Taskfile.yml.1b6d145e01406dcc6c0aa572e5a5d1333be1ccf2cae96d18296d725d86197d31",
+		},
+	}
 
-	node, err = NewGitNode("https://github.com/foo/bar.git//Taskfile.yml?ref=main", "", false)
-	assert.NoError(t, err)
-	key = node.CacheKey()
-	assert.Equal(t, "Taskfile.yml-..39d28c1ff36f973705ae188b991258bbabaffd6d60bcdde9693d157d00d5e3a4", key)
-
-	node, err = NewGitNode("https://github.com/foo/bar.git//multiple/directory/Taskfile.yml?ref=main", "", false)
-	assert.NoError(t, err)
-	key = node.CacheKey()
-	assert.Equal(t, "Taskfile.yml-directory.1b6d145e01406dcc6c0aa572e5a5d1333be1ccf2cae96d18296d725d86197d31", key)
+	for _, tt := range tests {
+		node, err := NewGitNode(tt.entrypoint, "", false)
+		require.NoError(t, err)
+		key := node.CacheKey()
+		assert.Equal(t, tt.expectedKey, key)
+	}
 }

taskfile/node_http.go

@@ -17,8 +17,7 @@ import (
 // An HTTPNode is a node that reads a Taskfile from a remote location via HTTP.
 type HTTPNode struct {
 	*BaseNode
-	URL        *url.URL // stores url pointing actual remote file. (e.g. with Taskfile.yml)
-	entrypoint string   // stores entrypoint url. used for building graph vertices.
+	URL *url.URL // stores url pointing actual remote file. (e.g. with Taskfile.yml)
 }
 
 func NewHTTPNode(
@@ -33,18 +32,16 @@ func NewHTTPNode(
 		return nil, err
 	}
 	if url.Scheme == "http" && !insecure {
-		return nil, &errors.TaskfileNotSecureError{URI: entrypoint}
+		return nil, &errors.TaskfileNotSecureError{URI: url.Redacted()}
 	}
-
 	return &HTTPNode{
-		BaseNode:   base,
-		URL:        url,
-		entrypoint: entrypoint,
+		BaseNode: base,
+		URL:      url,
 	}, nil
 }
 
 func (node *HTTPNode) Location() string {
-	return node.entrypoint
+	return node.URL.Redacted()
 }
 
 func (node *HTTPNode) Read() ([]byte, error) {
@@ -56,23 +53,22 @@ func (node *HTTPNode) ReadContext(ctx context.Context) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	node.URL = url
-	req, err := http.NewRequest("GET", node.URL.String(), nil)
+	req, err := http.NewRequest("GET", url.String(), nil)
 	if err != nil {
-		return nil, errors.TaskfileFetchFailedError{URI: node.URL.String()}
+		return nil, errors.TaskfileFetchFailedError{URI: node.Location()}
 	}
 
 	resp, err := http.DefaultClient.Do(req.WithContext(ctx))
 	if err != nil {
 		if ctx.Err() != nil {
 			return nil, err
 		}
-		return nil, errors.TaskfileFetchFailedError{URI: node.URL.String()}
+		return nil, errors.TaskfileFetchFailedError{URI: node.Location()}
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
 		return nil, errors.TaskfileFetchFailedError{
-			URI:            node.URL.String(),
+			URI:            node.Location(),
 			HTTPStatusCode: resp.StatusCode,
 		}
 	}
@@ -116,12 +112,12 @@ func (node *HTTPNode) ResolveDir(dir string) (string, error) {
 
 func (node *HTTPNode) CacheKey() string {
 	checksum := strings.TrimRight(checksum([]byte(node.Location())), "=")
-	dir, filename := filepath.Split(node.entrypoint)
+	dir, filename := filepath.Split(node.URL.Path)
 	lastDir := filepath.Base(dir)
 	prefix := filename
 	// Means it's not "", nor "." nor "/", so it's a valid directory
 	if len(lastDir) > 1 {
-		prefix = fmt.Sprintf("%s-%s", lastDir, filename)
+		prefix = fmt.Sprintf("%s.%s", lastDir, filename)
 	}
-	return fmt.Sprintf("%s.%s", prefix, checksum)
+	return fmt.Sprintf("http.%s.%s.%s", node.URL.Host, prefix, checksum)
 }

taskfile/node_http_test.go

@@ -0,0 +1,49 @@
+package taskfile
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestHTTPNode_CacheKey(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		entrypoint  string
+		expectedKey string
+	}{
+		{
+			entrypoint:  "https://github.com",
+			expectedKey: "http.github.com..996e1f714b08e971ec79e3bea686287e66441f043177999a13dbc546d8fe402a",
+		},
+		{
+			entrypoint:  "https://github.com/Taskfile.yml",
+			expectedKey: "http.github.com.Taskfile.yml.85b3c3ad71b78dc74e404c7b4390fc13672925cb644a4d26c21b9f97c17b5fc0",
+		},
+		{
+			entrypoint:  "https://github.com/foo",
+			expectedKey: "http.github.com.foo.df3158dafc823e6847d9bcaf79328446c4877405e79b100723fa6fd545ed3e2b",
+		},
+		{
+			entrypoint:  "https://github.com/foo/Taskfile.yml",
+			expectedKey: "http.github.com.foo.Taskfile.yml.aea946ea7eb6f6bb4e159e8b840b6b50975927778b2e666df988c03bbf10c4c4",
+		},
+		{
+			entrypoint:  "https://github.com/foo/bar",
+			expectedKey: "http.github.com.foo.bar.d3514ad1d4daedf9cc2825225070b49ebc8db47fa5177951b2a5b9994597570c",
+		},
+		{
+			entrypoint:  "https://github.com/foo/bar/Taskfile.yml",
+			expectedKey: "http.github.com.bar.Taskfile.yml.b9cf01e01e47c0e96ea536e1a8bd7b3a6f6c1f1881bad438990d2bfd4ccd0ac0",
+		},
+	}
+
+	for _, tt := range tests {
+		node, err := NewHTTPNode(tt.entrypoint, "", false)
+		require.NoError(t, err)
+		key := node.CacheKey()
+		assert.Equal(t, tt.expectedKey, key)
+	}
+}