Merge pull request #1433 from buildpacks/sanitize-system-envs

When pack is run with --verbose, it should not print registry creds
buildpacks · May 5, 2022 · f7c167d · f7c167d
2 parents 04f7318 + 0385092
commit f7c167d
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 1 deletion.
diff --git a/internal/build/phase_config_provider.go b/internal/build/phase_config_provider.go
@@ -68,7 +68,7 @@ func NewPhaseConfigProvider(name string, lifecycleExec *LifecycleExecution, ops
 	lifecycleExec.logger.Debugf("Running the %s on OS %s with:", style.Symbol(provider.Name()), style.Symbol(provider.os))
 	lifecycleExec.logger.Debug("Container Settings:")
 	lifecycleExec.logger.Debugf("  Args: %s", style.Symbol(strings.Join(provider.ctrConf.Cmd, " ")))
-	lifecycleExec.logger.Debugf("  System Envs: %s", style.Symbol(strings.Join(provider.ctrConf.Env, " ")))
+	lifecycleExec.logger.Debugf("  System Envs: %s", style.Symbol(strings.Join(sanitized(provider.ctrConf.Env), " ")))
 	lifecycleExec.logger.Debugf("  Image: %s", style.Symbol(provider.ctrConf.Image))
 	lifecycleExec.logger.Debugf("  User: %s", style.Symbol(provider.ctrConf.User))
 	lifecycleExec.logger.Debugf("  Labels: %s", style.Symbol(fmt.Sprintf("%s", provider.ctrConf.Labels)))
@@ -84,6 +84,18 @@ func NewPhaseConfigProvider(name string, lifecycleExec *LifecycleExecution, ops
 	return provider
 }
 
+func sanitized(origEnv []string) []string {
+	var sanitizedEnv []string
+	for _, env := range origEnv {
+		if strings.HasPrefix(env, "CNB_REGISTRY_AUTH") {
+			sanitizedEnv = append(sanitizedEnv, "CNB_REGISTRY_AUTH=<redacted>")
+			continue
+		}
+		sanitizedEnv = append(sanitizedEnv, env)
+	}
+	return sanitizedEnv
+}
+
 func (p *PhaseConfigProvider) ContainerConfig() *container.Config {
 	return p.ctrConf
 }

diff --git a/internal/build/phase_config_provider_test.go b/internal/build/phase_config_provider_test.go
@@ -329,6 +329,37 @@ func testPhaseConfigProvider(t *testing.T, when spec.G, it spec.S) {
 				h.AssertContainsMatch(t, outBuf.String(), `Binds: \'\S+:\S+layers \S+:\S+workspace'`)
 				h.AssertContains(t, outBuf.String(), "Network Mode: ''")
 			})
+
+			when("there is registry auth", func() {
+				it("sanitizes the output", func() {
+					authConfig := "some-auth-config"
+
+					var outBuf bytes.Buffer
+					logger := logging.NewLogWithWriters(&outBuf, &outBuf, logging.WithVerbose())
+
+					docker, err := client.NewClientWithOpts(client.FromEnv, client.WithVersion("1.38"))
+					h.AssertNil(t, err)
+
+					defaultBuilder, err := fakes.NewFakeBuilder()
+					h.AssertNil(t, err)
+
+					opts := build.LifecycleOptions{
+						AppPath: "some-app-path",
+						Builder: defaultBuilder,
+					}
+
+					lifecycleExec, err := build.NewLifecycleExecution(logger, docker, opts)
+					h.AssertNil(t, err)
+
+					_ = build.NewPhaseConfigProvider(
+						"some-name",
+						lifecycleExec,
+						build.WithRegistryAccess(authConfig),
+					)
+
+					h.AssertContains(t, outBuf.String(), "System Envs: 'CNB_REGISTRY_AUTH=<redacted> CNB_PLATFORM_API=0.4'")
+				})
+			})
 		})
 	})
 }