From cfcbcac8b0782bfb4f51bfff0866169b9a40c867 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?nils=20m=C3=A5s=C3=A9n?=
Date: Wed, 12 Apr 2023 08:22:52 +0200
Subject: [PATCH] fix: remove logging of credentials (#1534)
---
 pkg/registry/auth/auth.go | 3 ++-
 pkg/registry/digest/digest.go | 18 ++++++++++--------
 pkg/registry/registry.go | 4 +++-
 pkg/registry/trust.go | 6 ++++--
 4 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/pkg/registry/auth/auth.go b/pkg/registry/auth/auth.go
index 5056cb3f6..b21e75980 100644
--- a/pkg/registry/auth/auth.go
+++ b/pkg/registry/auth/auth.go
@@ -91,7 +91,8 @@ func GetBearerHeader(challenge string, img string, registryAuth string) (string,
 if registryAuth != "" {
 logrus.Debug("Credentials found.")
- logrus.Tracef("Credentials: %v", registryAuth)
+ // CREDENTIAL: Uncomment to log registry credentials
+ // logrus.Tracef("Credentials: %v", registryAuth)
 r.Header.Add("Authorization", fmt.Sprintf("Basic %s", registryAuth))
 } else {
 logrus.Debug("No credentials found.")
diff --git a/pkg/registry/digest/digest.go b/pkg/registry/digest/digest.go
index 3bdf2410d..e569599e2 100644
--- a/pkg/registry/digest/digest.go
+++ b/pkg/registry/digest/digest.go
@@ -6,15 +6,16 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "net"
+ "net/http"
+ "strings"
+ "time"
+
 "github.com/containrrr/watchtower/internal/meta"
 "github.com/containrrr/watchtower/pkg/registry/auth"
 "github.com/containrrr/watchtower/pkg/registry/manifest"
 "github.com/containrrr/watchtower/pkg/types"
 "github.com/sirupsen/logrus"
- "net"
- "net/http"
- "strings"
- "time"
 )
 // ContentDigestHeader is the key for the key-value pair containing the digest header
@@ -25,7 +26,7 @@ func CompareDigest(container types.Container, registryAuth string) (bool, error)
 if !container.HasImageInfo() {
 return false, errors.New("container image info missing")
 }
-
+
 var digest string
 registryAuth = TransformAuth(registryAuth)
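Review bot: The credential logging is only commented out, not removed: `// logrus.Tracef("Credentials: %v", registryAuth)` in GetBearerHeader stays one uncomment away from printing the value that is placed in the `Basic` Authorization header, and the same "Uncomment to log" pattern is left in GetDigest, GetPullOptions, EncodedEnvAuth and EncodedConfigAuth. I would delete the commented calls together with their hints and leave a guard comment instead, for example `// Never log registryAuth: it is the Basic auth credential.`. The existing `logrus.Debug("Credentials found.")` already gives the diagnostic signal without exposing the secret. Logs captured at trace level before this change may still hold credentials, so the release notes should probably tell operators to rotate them. GetBearerHeader starts and ends outside the hunk.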
@@ -93,12 +94,13 @@ func GetDigest(url string, token string) (string, error) {
 req, _ := http.NewRequest("HEAD", url, nil)
 req.Header.Set("User-Agent", meta.UserAgent)
- if token != "" {
- logrus.WithField("token", token).Trace("Setting request token")
- } else {
+ if token == "" {
 return "", errors.New("could not fetch token")
 }
+ // CREDENTIAL: Uncomment to log the request token
+ // logrus.WithField("token", token).Trace("Setting request token")
+
 req.Header.Add("Authorization", token)
 req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json")
 req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.list.v2+json")
diff --git a/pkg/registry/registry.go b/pkg/registry/registry.go
index 9edd66f89..0347673c8 100644
--- a/pkg/registry/registry.go
+++ b/pkg/registry/registry.go
@@ -19,7 +19,9 @@ func GetPullOptions(imageName string) (types.ImagePullOptions, error) {
 if auth == "" {
 return types.ImagePullOptions{}, nil
 }
- log.Tracef("Got auth value: %s", auth)
+
+ // CREDENTIAL: Uncomment to log docker config auth
+ // log.Tracef("Got auth value: %s", auth)
 return types.ImagePullOptions{
 RegistryAuth: auth,
diff --git a/pkg/registry/trust.go b/pkg/registry/trust.go
index fa17bbc3b..9024777f9 100644
--- a/pkg/registry/trust.go
+++ b/pkg/registry/trust.go
@@ -38,7 +38,8 @@ func EncodedEnvAuth(ref string) (string, error) {
 Password: password,
 }
 log.Debugf("Loaded auth credentials for user %s on registry %s", auth.Username, ref)
- log.Tracef("Using auth password %s", auth.Password)
+ // CREDENTIAL: Uncomment to log REPO_PASS environment variable
+ // log.Tracef("Using auth password %s", auth.Password)
 return EncodeAuth(auth)
 }
 return "", errors.New("registry auth environment variables (REPO_USER, REPO_PASS) not set")
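Review bot: The error from `http.NewRequest` is still discarded on the first context line of the GetDigest hunk (`req, _ := http.NewRequest("HEAD", url, nil)`), so a `url` that fails to parse leaves `req` nil and the following `req.Header.Set` panics instead of returning an error. Since this commit already rewrites the token check, I would move `if token == ""` above the request construction and handle the error with `req, err := http.NewRequest("HEAD", url, nil)` followed by `if err != nil { return "", err }`. Whether `url` can be influenced by image metadata is not visible here, so the severity is a guess, but failing closed costs two lines. GetDigest's body continues past the end of the hunk.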
@@ -71,7 +72,8 @@ func EncodedConfigAuth(ref string) (string, error) {
 return "", nil
 }
 log.Debugf("Loaded auth credentials for user %s, on registry %s, from file %s", auth.Username, ref, configFile.Filename)
- log.Tracef("Using auth password %s", auth.Password)
+ // CREDENTIAL: Uncomment to log docker config password
+ // log.Tracef("Using auth password %s", auth.Password)
 return EncodeAuth(auth)
 }