fix(registries): clear sensitive fields in the update handler BE-12215 (#1129)

2025-09-03 10:41:27 -03:00 · 2025-09-03 10:41:27 -03:00 · 3354ee4e4b
parent af3c45bea0
commit 3354ee4e4b
3 changed files with 122 additions and 0 deletions
--- a/api/http/handler/registries/registry_create_test.go
+++ b/api/http/handler/registries/registry_create_test.go
@ -1,10 +1,19 @@
 package registries

 import (
+	"bytes"
+	"net/http"
+	"net/http/httptest"
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+
+	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func Test_registryCreatePayload_Validate(t *testing.T) {
@ -43,3 +52,46 @@ func Test_registryCreatePayload_Validate(t *testing.T) {
 		assert.NoError(t, err)
 	})
 }
+
+func TestHandler_registryCreate(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, false, false)
+
+	payload := registryCreatePayload{
+		Name:           "Test registry",
+		Type:           portainer.ProGetRegistry,
+		URL:            "http://example.com",
+		BaseURL:        "http://example.com",
+		Authentication: false,
+		Username:       "username",
+		Password:       "password",
+		Gitlab:         portainer.GitlabRegistryData{},
+	}
+	payloadBytes, err := json.Marshal(payload)
+	require.NoError(t, err)
+
+	r := httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(payloadBytes))
+	w := httptest.NewRecorder()
+
+	restrictedContext := &security.RestrictedRequestContext{IsAdmin: true, UserID: 1}
+
+	ctx := security.StoreRestrictedRequestContext(r, restrictedContext)
+	r = r.WithContext(ctx)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	handlerError := handler.registryCreate(w, r)
+	require.Nil(t, handlerError)
+
+	registry := portainer.Registry{}
+	err = json.NewDecoder(w.Body).Decode(&registry)
+	require.NoError(t, err)
+
+	assert.Equal(t, payload.Name, registry.Name)
+	assert.Equal(t, payload.Type, registry.Type)
+	assert.Equal(t, payload.URL, registry.URL)
+	assert.Equal(t, payload.BaseURL, registry.BaseURL)
+	assert.Equal(t, payload.Authentication, registry.Authentication)
+	assert.Equal(t, payload.Username, registry.Username)
+	assert.Empty(t, registry.Password)
+}
--- a/api/http/handler/registries/registry_update.go
+++ b/api/http/handler/registries/registry_update.go
@ -177,6 +177,8 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 		return httperror.InternalServerError("Unable to persist registry changes inside the database", err)
 	}

+	hideFields(registry, true)
+
 	return response.JSON(w, registry)
 }

--- a/api/http/handler/registries/registry_update_test.go
+++ b/api/http/handler/registries/registry_update_test.go
@ -0,0 +1,68 @@
+package registries
+
+import (
+	"bytes"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func ptr[T any](i T) *T { return &i }
+
+func TestHandler_registryUpdate(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, false, false)
+
+	registry := &portainer.Registry{Type: portainer.ProGetRegistry}
+
+	err := store.Registry().Create(registry)
+	require.NoError(t, err)
+
+	payload := registryUpdatePayload{
+		Name:           ptr("Updated test registry"),
+		URL:            ptr("http://example.org/feed"),
+		BaseURL:        ptr("http://example.org"),
+		Authentication: ptr(true),
+		Username:       ptr("username"),
+		Password:       ptr("password"),
+	}
+
+	payloadBytes, err := json.Marshal(payload)
+	require.NoError(t, err)
+
+	r := httptest.NewRequest(http.MethodPut, "/registries/1", bytes.NewReader(payloadBytes))
+	w := httptest.NewRecorder()
+
+	restrictedContext := &security.RestrictedRequestContext{IsAdmin: true, UserID: 1}
+
+	ctx := security.StoreRestrictedRequestContext(r, restrictedContext)
+	r = r.WithContext(ctx)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	handler.ServeHTTP(w, r)
+	require.Equal(t, http.StatusOK, w.Code)
+
+	updatedRegistry := portainer.Registry{}
+	err = json.NewDecoder(w.Body).Decode(&updatedRegistry)
+	require.NoError(t, err)
+
+	// Registry type should remain intact
+	assert.Equal(t, registry.Type, updatedRegistry.Type)
+
+	assert.Equal(t, *payload.Name, updatedRegistry.Name)
+	assert.Equal(t, *payload.URL, updatedRegistry.URL)
+	assert.Equal(t, *payload.BaseURL, updatedRegistry.BaseURL)
+	assert.Equal(t, *payload.Authentication, updatedRegistry.Authentication)
+	assert.Equal(t, *payload.Username, updatedRegistry.Username)
+	assert.Empty(t, updatedRegistry.Password)
+}