Browse Source

Mask passwords when printing/logging credentials (+test).

Marc CARRE 2 years ago
parent
commit
82c3b37f03
2 changed files with 12 additions and 0 deletions
  1. 4
    0
      registry/credentials.go
  2. 8
    0
      registry/credentials_test.go

+ 4
- 0
registry/credentials.go View File

@@ -123,3 +123,7 @@ func (cs Credentials) Merge(c Credentials) {
123 123
 		cs.m[k] = v
124 124
 	}
125 125
 }
126
+
127
+func (cs Credentials) String() string {
128
+	return fmt.Sprintf("{%v}", cs.m)
129
+}

+ 8
- 0
registry/credentials_test.go View File

@@ -110,3 +110,11 @@ func TestParseCreds_k8s(t *testing.T) {
110 110
 	assert.Equal(t, "testuser", c.credsFor(host).username, "User is incorrect")
111 111
 	assert.Equal(t, "testpassword", c.credsFor(host).password, "Password is incorrect")
112 112
 }
113
+
114
+func TestStringShouldNotLeakPasswords(t *testing.T) {
115
+	k8sCreds := []byte(`{"localhost:5000":{"username":"testuser","password":"testpassword","email":"foo@bar.com","auth":"dGVzdHVzZXI6dGVzdHBhc3N3b3Jk"}}`)
116
+	c, err := ParseCredentials("test", k8sCreds)
117
+	assert.NoError(t, err)
118
+	assert.Equal(t, "{map[localhost:5000:<registry creds for testuser@localhost:5000, from test>]}", fmt.Sprintf("%v", c)) // In comparison standard String() method typically yields: "{map[localhost:5000:{testuser testpassword localhost:5000 test}]}".
119
+	assert.Equal(t, "testpassword", c.credsFor("localhost:5000").password, "Password is incorrect")                        // Actual password is left untouched.
120
+}

Loading…
Cancel
Save