fix: remove logging of credentials (#1534)

containrrr · Apr 12, 2023 · cfcbcac · cfcbcac
1 parent 4d661bf
commit cfcbcac
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 12 deletions.
diff --git a/pkg/registry/auth/auth.go b/pkg/registry/auth/auth.go
@@ -91,7 +91,8 @@ func GetBearerHeader(challenge string, img string, registryAuth string) (string,
 
 	if registryAuth != "" {
 		logrus.Debug("Credentials found.")
-		logrus.Tracef("Credentials: %v", registryAuth)
+		// CREDENTIAL: Uncomment to log registry credentials
+		// logrus.Tracef("Credentials: %v", registryAuth)
 		r.Header.Add("Authorization", fmt.Sprintf("Basic %s", registryAuth))
 	} else {
 		logrus.Debug("No credentials found.")

diff --git a/pkg/registry/digest/digest.go b/pkg/registry/digest/digest.go
@@ -6,15 +6,16 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
 	"github.com/containrrr/watchtower/internal/meta"
 	"github.com/containrrr/watchtower/pkg/registry/auth"
 	"github.com/containrrr/watchtower/pkg/registry/manifest"
 	"github.com/containrrr/watchtower/pkg/types"
 	"github.com/sirupsen/logrus"
-	"net"
-	"net/http"
-	"strings"
-	"time"
 )
 
 // ContentDigestHeader is the key for the key-value pair containing the digest header
@@ -25,7 +26,7 @@ func CompareDigest(container types.Container, registryAuth string) (bool, error)
 	if !container.HasImageInfo() {
 		return false, errors.New("container image info missing")
 	}
-	
+
 	var digest string
 
 	registryAuth = TransformAuth(registryAuth)
@@ -93,12 +94,13 @@ func GetDigest(url string, token string) (string, error) {
 	req, _ := http.NewRequest("HEAD", url, nil)
 	req.Header.Set("User-Agent", meta.UserAgent)
 
-	if token != "" {
-		logrus.WithField("token", token).Trace("Setting request token")
-	} else {
+	if token == "" {
 		return "", errors.New("could not fetch token")
 	}
 
+	// CREDENTIAL: Uncomment to log the request token
+	// logrus.WithField("token", token).Trace("Setting request token")
+
 	req.Header.Add("Authorization", token)
 	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json")
 	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.list.v2+json")

diff --git a/pkg/registry/registry.go b/pkg/registry/registry.go
@@ -19,7 +19,9 @@ func GetPullOptions(imageName string) (types.ImagePullOptions, error) {
 	if auth == "" {
 		return types.ImagePullOptions{}, nil
 	}
-	log.Tracef("Got auth value: %s", auth)
+
+	// CREDENTIAL: Uncomment to log docker config auth
+	// log.Tracef("Got auth value: %s", auth)
 
 	return types.ImagePullOptions{
 		RegistryAuth:  auth,

diff --git a/pkg/registry/trust.go b/pkg/registry/trust.go
@@ -38,7 +38,8 @@ func EncodedEnvAuth(ref string) (string, error) {
 			Password: password,
 		}
 		log.Debugf("Loaded auth credentials for user %s on registry %s", auth.Username, ref)
-		log.Tracef("Using auth password %s", auth.Password)
+		// CREDENTIAL: Uncomment to log REPO_PASS environment variable
+		// log.Tracef("Using auth password %s", auth.Password)
 		return EncodeAuth(auth)
 	}
 	return "", errors.New("registry auth environment variables (REPO_USER, REPO_PASS) not set")
@@ -71,7 +72,8 @@ func EncodedConfigAuth(ref string) (string, error) {
 		return "", nil
 	}
 	log.Debugf("Loaded auth credentials for user %s, on registry %s, from file %s", auth.Username, ref, configFile.Filename)
-	log.Tracef("Using auth password %s", auth.Password)
+	// CREDENTIAL: Uncomment to log docker config password
+	// log.Tracef("Using auth password %s", auth.Password)
 	return EncodeAuth(auth)
 }