From 15b2a84812ee77f41788f97c846d92f868193a6e Mon Sep 17 00:00:00 2001
From: Josh McSavaney <me@mcsau.cc>
Date: Sat, 19 Apr 2025 16:53:52 -0400
Subject: [PATCH] Better document a bad SHA256 invocation

This code uses sha256.New().Sum instead of sha256.Sum256. See
https://go.dev/play/p/vSW0U3Hq4qk for a demonstration of the differences.

SHA256 is used to generate identifiers that map server names to settings. I
think these IDs have been persisted to external sources (setting.go mentions S3
buckets), so moving this to a good invocation is hard and probably not worth
it. Instead, document the exact behavior of what's happening with the bad
invocation, make it more obvious, and enshrine it within a helper function.
---
 provider/aws/registries.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/provider/aws/registries.go b/provider/aws/registries.go
index 4eb125b553..df156d5667 100644
--- a/provider/aws/registries.go
+++ b/provider/aws/registries.go
@@ -75,9 +75,9 @@ func (p *Provider) RegistryAdd(server, username, password string) (*structs.Regi
 		return nil, log.Error(err)
 	}
 
-	id := fmt.Sprintf("%x", sha256.New().Sum([]byte(server)))
+	id := legacyServerIdentifier(server)
 
-	if err := p.SettingPut(fmt.Sprintf("system/registries/%s", id), string(data)); err != nil {
+	if err := p.SettingPut("system/registries/"+id, string(data)); err != nil {
 		return nil, log.Error(err)
 	}
 
@@ -93,7 +93,8 @@ func (p *Provider) RegistryAdd(server, username, password string) (*structs.Regi
 func (p *Provider) RegistryRemove(server string) error {
 	log := Logger.At("RegistryRemove").Namespace("server=%q", server).Start()
 
-	key := fmt.Sprintf("system/registries/%x", sha256.New().Sum([]byte(server)))
+	id := legacyServerIdentifier(server)
+	key := "system/registries/" + id
 
 	if _, err := p.SettingExists(key); err != nil {
 		return log.Error(errorNotFound(fmt.Sprintf("registry not found: %s", server)))
@@ -135,3 +136,13 @@ func (p *Provider) RegistryList() (structs.Registries, error) {
 
 	return registries, log.Success()
 }
+
+var hashOfNothing = sha256.New().Sum(nil)
+
+// legacyServerIdentifier generates a hex string from a server.
+// This format is suboptimal, but it must be preserved for compatibility reasons
+// as deviation from this format would orphan registry settings.
+// This function exist to make the behavior more apparent.
+func legacyServerIdentifier(server string) string {
+	return fmt.Sprintf("%x", append([]byte(server), hashOfNothing[:]...))
+}