fix(registries): clear sensitive fields in the update handler BE-12215 (#1129)

2025-09-03 10:41:27 -03:00 · 2025-09-03 10:41:27 -03:00 · 3354ee4e4b
parent af3c45bea0
commit 3354ee4e4b
3 changed files with 122 additions and 0 deletions
--- a/api/http/handler/registries/registry_create_test.go
+++ b/api/http/handler/registries/registry_create_test.go
@ -1,10 +1,19 @@
 package registries
 import (
 	"bytes"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func Test_registryCreatePayload_Validate(t *testing.T) {
@ -43,3 +52,46 @@ func Test_registryCreatePayload_Validate(t *testing.T) {
 		assert.NoError(t, err)
 	})
 }
 func TestHandler_registryCreate(t *testing.T) {
 	_, store := datastore.MustNewTestStore(t, false, false)
 	payload := registryCreatePayload{
 		Name:           "Test registry",
 		Type:           portainer.ProGetRegistry,
 		URL:            "http://example.com",
 		BaseURL:        "http://example.com",
 		Authentication: false,
 		Username:       "username",
 		Password:       "password",
 		Gitlab:         portainer.GitlabRegistryData{},
 	}
 	payloadBytes, err := json.Marshal(payload)
 	require.NoError(t, err)
 	r := httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(payloadBytes))
 	w := httptest.NewRecorder()
 	restrictedContext := &security.RestrictedRequestContext{IsAdmin: true, UserID: 1}
 	ctx := security.StoreRestrictedRequestContext(r, restrictedContext)
 	r = r.WithContext(ctx)
 	handler := NewHandler(testhelpers.NewTestRequestBouncer())
 	handler.DataStore = store
 	handlerError := handler.registryCreate(w, r)
 	require.Nil(t, handlerError)
 	registry := portainer.Registry{}
 	err = json.NewDecoder(w.Body).Decode(&registry)
 	require.NoError(t, err)
 	assert.Equal(t, payload.Name, registry.Name)
 	assert.Equal(t, payload.Type, registry.Type)
 	assert.Equal(t, payload.URL, registry.URL)
 	assert.Equal(t, payload.BaseURL, registry.BaseURL)
 	assert.Equal(t, payload.Authentication, registry.Authentication)
 	assert.Equal(t, payload.Username, registry.Username)
 	assert.Empty(t, registry.Password)
 }
--- a/api/http/handler/registries/registry_update.go
+++ b/api/http/handler/registries/registry_update.go
@ -177,6 +177,8 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 		return httperror.InternalServerError("Unable to persist registry changes inside the database", err)
 	}
 	hideFields(registry, true)
 	return response.JSON(w, registry)
 }
--- a/api/http/handler/registries/registry_update_test.go
+++ b/api/http/handler/registries/registry_update_test.go
@ -0,0 +1,68 @@
 package registries
 import (
 	"bytes"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func ptr[T any](i T) *T { return &i }
 func TestHandler_registryUpdate(t *testing.T) {
 	_, store := datastore.MustNewTestStore(t, false, false)
 	registry := &portainer.Registry{Type: portainer.ProGetRegistry}
 	err := store.Registry().Create(registry)
 	require.NoError(t, err)
 	payload := registryUpdatePayload{
 		Name:           ptr("Updated test registry"),
 		URL:            ptr("http://example.org/feed"),
 		BaseURL:        ptr("http://example.org"),
 		Authentication: ptr(true),
 		Username:       ptr("username"),
 		Password:       ptr("password"),
 	}
 	payloadBytes, err := json.Marshal(payload)
 	require.NoError(t, err)
 	r := httptest.NewRequest(http.MethodPut, "/registries/1", bytes.NewReader(payloadBytes))
 	w := httptest.NewRecorder()
 	restrictedContext := &security.RestrictedRequestContext{IsAdmin: true, UserID: 1}
 	ctx := security.StoreRestrictedRequestContext(r, restrictedContext)
 	r = r.WithContext(ctx)
 	handler := NewHandler(testhelpers.NewTestRequestBouncer())
 	handler.DataStore = store
 	handler.ServeHTTP(w, r)
 	require.Equal(t, http.StatusOK, w.Code)
 	updatedRegistry := portainer.Registry{}
 	err = json.NewDecoder(w.Body).Decode(&updatedRegistry)
 	require.NoError(t, err)
 	// Registry type should remain intact
 	assert.Equal(t, registry.Type, updatedRegistry.Type)
 	assert.Equal(t, *payload.Name, updatedRegistry.Name)
 	assert.Equal(t, *payload.URL, updatedRegistry.URL)
 	assert.Equal(t, *payload.BaseURL, updatedRegistry.BaseURL)
 	assert.Equal(t, *payload.Authentication, updatedRegistry.Authentication)
 	assert.Equal(t, *payload.Username, updatedRegistry.Username)
 	assert.Empty(t, updatedRegistry.Password)
 }